#!/bin/bash
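# SEC-CI-HT-649
# Ensure the pam_faillock lockout line (deny=5, unlock_time=900) is present in
# /etc/pam.d/password-auth; append it when it is missing.
# NOTE(review): the line is appended at the end of the file. PAM evaluates the
# lines of a stack in file order, and pam_faillock(8) describes preauth/authfail
# entries placed around the password module, so confirm that a line in this
# position actually enforces the lockout. On hosts where authselect manages
# this file a direct edit may be overwritten — TODO confirm.
file_path="/etc/pam.d/password-auth"
keyword="auth        required    pam_faillock.so  deny=5 unlock_time=900"
# -F matches the keyword literally (the "." in pam_faillock.so is not treated
# as a regex wildcard); -- stops option parsing before the pattern.
if grep -qF -- "$keyword" "$file_path"; then
    echo "文件 $file_path 中存在关键字 $keyword"
else
    echo "文件 $file_path 中不存在关键字 $keyword 执行插入"
    # Both expansions are quoted. Unquoted, the shell collapsed the column
    # padding, so the inserted text never matched the check above and every
    # run appended another copy of the line.
    printf '%s\n' "$keyword" >> "$file_path"
fi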

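# SEC-CI-HT-615
# Ensure the logrotate directive "rotate 3" is present in
# /etc/logrotate.d/syslog; append it when it is missing.
# NOTE(review): the directive is appended after the existing content. If the
# settings for the syslog files live inside a "{ ... }" stanza, a line added
# after that stanza is not part of it — verify the effective configuration
# (for example with a logrotate debug run) after this script has run.
file_path="/etc/logrotate.d/syslog"
keyword="rotate 3"
# Match the directive as a whole line (indentation allowed). A plain substring
# search also accepted "rotate 30" or a comment mentioning the text, and then
# skipped the insert. The keyword contains no regex metacharacters.
if grep -Eq -- "^[[:space:]]*${keyword}[[:space:]]*\$" "$file_path"; then
    echo "文件 $file_path 中存在关键字 $keyword"
else
    echo "文件 $file_path 中不存在关键字 $keyword 执行插入"
    # Quoted so the text and the target path are written exactly as set above.
    printf '%s\n' "$keyword" >> "$file_path"
fi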

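# SEC-CI-HT-648
# Ensure the logrotate directive "size 10M" is present in
# /etc/logrotate.d/syslog; append it when it is missing.
# NOTE(review): the directive is appended after the existing content. If the
# settings for the syslog files live inside a "{ ... }" stanza, a line added
# after that stanza is not part of it — verify the effective configuration
# after this script has run.
file_path="/etc/logrotate.d/syslog"
keyword="size 10M"
# Match the directive as a whole line (indentation allowed). A plain substring
# search also accepted "maxsize 10M" or "minsize 10M" and then skipped the
# insert. The keyword contains no regex metacharacters.
if grep -Eq -- "^[[:space:]]*${keyword}[[:space:]]*\$" "$file_path"; then
    echo "文件 $file_path 中存在关键字 $keyword"
else
    echo "文件 $file_path 中不存在关键字 $keyword 执行插入"
    # Quoted so the text and the target path are written exactly as set above.
    printf '%s\n' "$keyword" >> "$file_path"
fi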

#SEC-CI-HT-613
# Change the umask from 002 to 027 in the system-wide shell start-up files.
# Only the literal text "umask 002" is rewritten: a umask line carrying any
# other value is left as it is, and sed exits successfully even when nothing
# matched.
# NOTE(review): confirm afterwards (e.g. grep umask on each file) that no
# weaker umask remains for the accounts this control is meant to cover.
for startup_file in /etc/profile /etc/csh.cshrc /etc/bashrc; do
    sed -i 's/umask 002/umask 027/' "$startup_file"
done

#SEC-CI-HT-616
# Activate the password-quality settings in /etc/security/pwquality.conf by
# replacing the commented-out entries: minlen = 8 and a credit of -1 for the
# digit, upper-case, lower-case and other-character classes.
# Each rule matches one exact commented line ("# name = value"); an entry that
# is already active, or commented with a different value or spacing, is left
# unchanged and sed still exits successfully.
# NOTE(review): per pwquality.conf(5) a negative credit is the minimum number
# of characters of that class — confirm against the installed version.
for pwquality_rule in \
    's/# minlen = 8/minlen = 8/' \
    's/# dcredit = 0/dcredit = -1/' \
    's/# ucredit = 0/ucredit = -1/' \
    's/# lcredit = 0/lcredit = -1/' \
    's/# ocredit = 0/ocredit = -1/'; do
    sed -i "$pwquality_rule" /etc/security/pwquality.conf
done

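# SEC-CI-HT-616
# Ensure the enforce_for_root entry is present in
# /etc/security/pwquality.conf; append it when it is missing.
# NOTE(review): pwquality.conf(5) lists enforce_for_root as an option without
# a value; confirm that the trailing "root" token is accepted by the parser
# and that root password changes are really checked after this runs.
file_path="/etc/security/pwquality.conf"
keyword="enforce_for_root  root"
# -F matches the keyword literally; -- stops option parsing before the pattern.
if grep -qF -- "$keyword" "$file_path"; then
    echo "文件 $file_path 中存在关键字 $keyword"
else
    echo "文件 $file_path 中不存在关键字 $keyword 执行插入"
    # Both expansions are quoted. Unquoted, the shell collapsed the double
    # space, so the inserted text never matched the check above and every run
    # appended another copy of the line.
    printf '%s\n' "$keyword" >> "$file_path"
fi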

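#SEC-CI-HT-637
# Set PASS_MIN_DAYS to 5 (when it is 6) and PASS_WARN_AGE to 5 (when it is 30)
# in /etc/login.defs.
# The patterns cover the whole line, so a value such as 60 or 300 is no longer
# partially rewritten, and any run of blanks or tabs between name and value is
# accepted. Lines with other values are left unchanged and sed still exits
# successfully.
# NOTE(review): login.defs(5) applies these values when an account is created;
# existing accounts keep their current aging settings (see chage(1)).
sed -i -E 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]]+6[[:space:]]*$/PASS_MIN_DAYS    5/' /etc/login.defs
sed -i -E 's/^[[:space:]]*PASS_WARN_AGE[[:space:]]+30[[:space:]]*$/PASS_WARN_AGE    5/' /etc/login.defs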



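# SEC-CI-HT-650: the following development and compilation tools must not be
# present on the system: tcpdump, gdb, strace, dexdump, cpp, gcc.
# Sniffing tools such as tcpdump, ethereal and wireshark must not be on the
# system either, so that they cannot be used maliciously.
#
# Each package is removed in its own yum transaction, in the listed order.
# No wait is needed between removals: yum runs in the foreground and nothing
# in this section is started in the background.
# NOTE(review): the gdb-headless entry names one exact build; other builds of
# that package are not matched by it — confirm whether the unversioned name
# is intended.
# NOTE(review): yum remove also removes packages that depend on the named
# one; review the transaction on hosts where gcc or cpp are dependencies.
banned_packages=(
    tcpdump
    wireshark
    ethereal
    gdb
    gdb-headless-8.2-11.el8.x86_64
    strace
    dexdump
    cpp
    gcc
)
remove_failed=0
for pkg in "${banned_packages[@]}"; do
    if ! yum remove -y "$pkg"; then
        # Report the failure instead of letting it scroll past unnoticed.
        printf 'yum remove failed for package: %s\n' "$pkg" >&2
        remove_failed=1
    fi
done
# Leave a non-zero status when any removal failed so a caller can notice.
[[ "$remove_failed" -eq 0 ]]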